
A rubber ducky is a cute small kid’s bath toy, isn’t it? It used to be that way, but now a potentially harmful hacking tool goes by this seemingly innocent name. The rubber ducky has the same appearance as any other USB flash drive, but when it is inserted, the computer interprets it as a keyboard and lets the “keyboard” enter a range of previously programmed keystrokes. This tool is supposed to be used for penetration testing. Rubber duckies can be used by security professionals to assess the resilience of their computer systems. Yet there are numerous internet guides and tutorials that explain how to use the rubber ducky for keyboard injection attacks as well.
To the untrained eye, the USB Rubber Ducky appears to be an ordinary USB flash drive. When you plug it into a computer, the machine recognizes it as a USB keyboard, which means it accepts keystroke instructions from the device just as if a person were typing them. It exploits a built-in trust model: computers are designed to trust a human operator, and most human interaction happens through clicking and typing, so everything the device types is treated with the same level of trust as the user’s own input.
About ten years ago, the first Rubber Ducky was released, quickly becoming a hacker favorite (it was even featured in a Mr. Robot scene). Since then, there have been a number of small upgrades, but the most recent Rubber Ducky takes a giant step ahead with a number of new features that significantly increase its flexibility and capability.
The options are nearly unlimited with the proper strategy. The Rubber Ducky has already been used to launch attacks including making a phony Windows pop-up window to collect a user’s login information or tricking Chrome into sending all saved passwords to an attacker’s web server. Nevertheless, these attacks lacked the adaptability to operate across platforms and had to be specifically designed for particular operating systems and software versions.
The new Rubber Ducky is designed to get around these restrictions. It comes with a significant improvement to DuckyScript, the programming language used to write the instructions that the Rubber Ducky enters into a target machine. Earlier versions were primarily limited to scripting keystroke sequences; DuckyScript 3.0 is a feature-rich language that allows users to write functions, store variables, and apply logic flow controls (i.e., if this… then that).
This means that, for instance, the new Ducky can check whether it is plugged into a Windows or Mac computer and then conditionally run code specific to each one, or it can disable itself if it has been attached to the incorrect target. To appear more human, it can also generate pseudorandom numbers and use them to add a configurable delay between keystrokes.
Perhaps its most astounding feature is the ability to steal data from a target computer by encoding it in binary and transmitting it through the signals that tell a keyboard when the CapsLock or NumLock LEDs should light up. Using this technique, a hacker could plug it in for a brief period, excuse themselves by saying, “Oh, I think that USB drive is faulty,” and then take it away with all the credentials stored on it.
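The behaviours described above leave traces a host can check for: typing that starts the moment a keyboard attaches, keystroke rates no person sustains, and lock-LED changes arriving in rapid bursts. The following is an added example, not code from Hak5 or from the original article; the event tuple format, device names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for illustration; tune them on real telemetry.
FIRST_KEY_GRACE_SEC = 1.0   # typing sooner than this after attach is suspicious
WINDOW_SEC = 1.0            # sliding window used for both rate checks
LIMITS = {                  # max events per window, and the finding if exceeded
    "key": (15, "keystroke-burst"),
    "led": (4, "led-toggle-burst"),   # lock LEDs rarely change more than this
}

def flag_suspicious_keyboards(events):
    """events: (timestamp_sec, device_id, kind) tuples sorted by time, where
    kind is "attach", "key" or "led" (a hypothetical normalized format).
    Returns {device_id: set of finding names}."""
    attached = {}                                   # device -> attach time
    windows = defaultdict(lambda: {"key": deque(), "led": deque()})
    findings = defaultdict(set)
    for ts, dev, kind in events:
        if kind == "attach":
            attached[dev] = ts
            continue
        if kind not in LIMITS:
            continue
        # Only the first keystroke after an attach is compared to the grace period.
        if kind == "key" and dev in attached:
            if ts - attached.pop(dev) < FIRST_KEY_GRACE_SEC:
                findings[dev].add("typed-immediately-after-attach")
        window = windows[dev][kind]
        window.append(ts)
        while ts - window[0] > WINDOW_SEC:          # drop events older than the window
            window.popleft()
        limit, reason = LIMITS[kind]
        if len(window) > limit:
            findings[dev].add(reason)
    return dict(findings)

# Constructed sample events (not captured from a real device).
SAMPLE_EVENTS = sorted(
    [(0.0, "kbd-builtin", "attach")]
    + [(5.0 + i * 0.25, "kbd-builtin", "key") for i in range(20)]  # about 4 keys/s
    + [(30.0, "usb-new", "attach")]
    + [(30.4 + i * 0.02, "usb-new", "key") for i in range(40)]     # about 50 keys/s
    + [(32.0 + i * 0.05, "usb-new", "led") for i in range(30)]     # about 20 toggles/s
)

if __name__ == "__main__":
    for device, reasons in flag_suspicious_keyboards(SAMPLE_EVENTS).items():
        print(device, sorted(reasons))
```

Because the device can add random delays between keystrokes, the keystroke-rate check is not sufficient on its own, which is why attach timing and LED toggle rate are reported as separate findings.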
In summary, the threat could be huge, but because physical device access is required, most people aren’t in danger of becoming a victim. The new Rubber Ducky was the most popular item at Def Con: the 500 or so units that Hak5 brought all sold out on the first day. Hundreds of hackers already possess one, so it’s safe to conclude that demand will likely persist for some time.
Moreover, an online development suite is included, which can be used to create attack payloads, compile them, and then load them onto the target device. Also, it’s simple for users of the software to interact with a larger community: a “payload hub” component of the website allows hackers to easily share what they’ve built, and the Hak5 Discord is also lively with discussion and useful advice.
It’s too expensive for most individuals to distribute in volume, so unless your favorite cafe is renowned for being a hangout among vulnerable targets, it’s doubtful that someone will leave a few of them there. To that end, if you intend to plug in a USB device that you discovered outside in a public area, pause to consider your decision.
Although the device is quite straightforward to use, there are a few things that could cause you trouble if you have no prior expertise writing or debugging code.